[kernel] r10576 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Tue Feb 19 07:21:42 UTC 2008


Author: dannf
Date: Tue Feb 19 07:21:41 2008
New Revision: 10576

Log:
* mmap-VM_DONTEXPAND.dpatch
  [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register
  a fault handler but do not bounds check the offset argument
  See CVE-2008-0007

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mmap-VM_DONTEXPAND.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Tue Feb 19 07:21:41 2008
@@ -73,8 +73,12 @@
     [SECURITY] Avoid seeding with the same values at boot time when a
     system has no entropy source
     See CVE-2007-2453
+  * mmap-VM_DONTEXPAND.dpatch
+    [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register
+    a fault handler but do not bounds check the offset argument
+    See CVE-2008-0007
 
- -- dann frazier <dannf at debian.org>  Thu, 14 Feb 2008 15:32:34 -0700
+ -- dann frazier <dannf at debian.org>  Tue, 19 Feb 2008 00:18:26 -0700
 
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mmap-VM_DONTEXPAND.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mmap-VM_DONTEXPAND.dpatch	Tue Feb 19 07:21:41 2008
@@ -0,0 +1,122 @@
+From: Nick Piggin <npiggin at suse.de>
+Date: Sat, 2 Feb 2008 02:08:53 +0000 (+0100)
+Subject: vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007)
+X-Git-Tag: v2.6.22.17~1
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.22.y.git;a=commitdiff_plain;h=83af8eda68a3f0c227d0eb05348e58ae27a62e7e
+
+vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007)
+
+Drivers that register a ->fault handler, but do not range-check the
+offset argument, must set VM_DONTEXPAND in the vm_flags in order to
+prevent an expanding mremap from overflowing the resource.
+
+I've audited the tree and attempted to fix these problems (usually by
+adding VM_DONTEXPAND where it is not obvious).
+
+Signed-off-by: Nick Piggin <npiggin at suse.de>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+commit 70fc53fa115cefe9ddb33bc284f77a7b10fabbbf
+Author: Willy Tarreau <w at 1wt.eu>
+Date:   Sun Feb 3 18:32:33 2008 +0100
+
+    security: insufficient range checks in certain fault handlers
+    
+    This is the 2.4 version of Nick Piggin's work on 2.6 fault handlers.
+    This deals with security vulnerability CVE-2008-0007.
+    
+    Drivers that register a ->nopage handler, that does not range-check its
+    offset argument, must set VM_DONTEXPAND in the vm_flags to ensure the
+    offset is within bounds.
+    
+    Signed-off-by: Willy Tarreau <w at 1wt.eu>
+
+Ported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+
+diff --git a/drivers/char/drm-4.0/vm.c b/drivers/char/drm-4.0/vm.c
+index f25aaa5..ef50f2d 100644
+--- a/drivers/char/drm-4.0/vm.c
++++ b/drivers/char/drm-4.0/vm.c
+@@ -256,6 +256,7 @@ int drm_mmap_dma(struct file *filp, struct vm_area_struct *vma)
+ 
+ 	vma->vm_ops   = &drm_vm_dma_ops;
+ 	vma->vm_flags |= VM_LOCKED | VM_SHM; /* Don't swap */
++	vma->vm_flags |= VM_DONTEXPAND;
+ 	
+ #if LINUX_VERSION_CODE < 0x020203 /* KERNEL_VERSION(2,2,3) */
+ 				/* In Linux 2.2.3 and above, this is
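Review bot: The new `vma->vm_flags |= VM_DONTEXPAND;` line carries no explanation, while the neighbouring `VM_LOCKED | VM_SHM` line keeps its "Don't swap" comment; a maintainer reading drm_mmap_dma later has no way to tell this is a security fix rather than a leftover flag. Suggest `vma->vm_flags |= VM_DONTEXPAND; /* vm_dma nopage does not range-check the offset; forbid growing mremap() (CVE-2008-0007) */`, which is exactly what the patch header states. The handler it protects, and the rest of drm_mmap_dma, lie outside this hunk, so the comment is the only local link between the flag and the reason for it.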
+@@ -358,6 +359,7 @@ int drm_mmap(struct file *filp, struct vm_area_struct *vma)
+ 		return -EINVAL;	/* This should never happen. */
+ 	}
+ 	vma->vm_flags |= VM_LOCKED | VM_SHM; /* Don't swap */
++	vma->vm_flags |= VM_DONTEXPAND;
+ 
+ #if LINUX_VERSION_CODE < 0x020203 /* KERNEL_VERSION(2,2,3) */
+ 				/* In Linux 2.2.3 and above, this is
+diff --git a/drivers/char/drm/drm_vm.h b/drivers/char/drm/drm_vm.h
+index 4eadbf0..337a1a8 100644
+--- a/drivers/char/drm/drm_vm.h
++++ b/drivers/char/drm/drm_vm.h
+@@ -342,6 +342,7 @@ int DRM(mmap_dma)(struct file *filp, struct vm_area_struct *vma)
+ 
+ 	vma->vm_ops   = &DRM(vm_dma_ops);
+ 	vma->vm_flags |= VM_RESERVED; /* Don't swap */
++	vma->vm_flags |= VM_DONTEXPAND;
+ 	vma->vm_file  =	 filp;	/* Needed for drm_vm_open() */
+ 	DRM(vm_open)(vma);
+ 	return 0;
+@@ -475,6 +476,7 @@ int DRM(mmap)(struct file *filp, struct vm_area_struct *vma)
+ 		return -EINVAL;	/* This should never happen. */
+ 	}
+ 	vma->vm_flags |= VM_RESERVED; /* Don't swap */
++	vma->vm_flags |= VM_DONTEXPAND;
+ 
+ 	vma->vm_file  =	 filp;	/* Needed for drm_vm_open() */
+ 	DRM(vm_open)(vma);
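Review bot: VM_DONTEXPAND is set once, after the map-type switch whose `default: return -EINVAL;` tail is visible at the top of the hunk, so it only protects mappings that fall out of the bottom of that switch; the switch cases themselves are outside the hunk and it should be confirmed that none of them returns success early with a `vm_ops` already installed, since such a VMA would stay expandable by mremap(). The `VM_OFFSET(vma) == 0` path, if it still short-circuits into DRM(mmap_dma), is covered by the other hunk in this file. As a small style point the flag could be folded into the existing line, `vma->vm_flags |= VM_RESERVED | VM_DONTEXPAND; /* Don't swap, don't grow */`, so the two flag writes cannot drift apart in later edits. DRM(mmap) begins before this hunk.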
+diff --git a/drivers/sound/via82cxxx_audio.c b/drivers/sound/via82cxxx_audio.c
+index 864f164..db5da3c 100644
+--- a/drivers/sound/via82cxxx_audio.c
++++ b/drivers/sound/via82cxxx_audio.c
+@@ -2111,6 +2111,7 @@ static struct page * via_mm_nopage (struct vm_area_struct * vma,
+ {
+ 	struct via_info *card = vma->vm_private_data;
+ 	struct via_channel *chan = &card->ch_out;
++	unsigned long max_bufs;
+ 	struct page *dmapage;
+ 	unsigned long pgoff;
+ 	int rd, wr;
+@@ -2135,14 +2136,11 @@ static struct page * via_mm_nopage (struct vm_area_struct * vma,
+ 	rd = card->ch_in.is_mapped;
+ 	wr = card->ch_out.is_mapped;
+ 
+-#ifndef VIA_NDEBUG
+-	{
+-	unsigned long max_bufs = chan->frag_number;
+-	if (rd && wr) max_bufs *= 2;
+-	/* via_dsp_mmap() should ensure this */
+-	assert (pgoff < max_bufs);
+-	}
+-#endif
++	max_bufs = chan->frag_number;
++	if (rd && wr)
++		max_bufs *= 2;
++	if (pgoff >= max_bufs)
++		return NOPAGE_SIGBUS;
+ 
+ 	/* if full-duplex (read+write) and we have two sets of bufs,
+ 	 * then the playback buffers come first, sez soundcard.c */
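Review bot: Replacing the debug-only `assert` with a real `NOPAGE_SIGBUS` return is the right call, but the old "via_dsp_mmap() should ensure this" comment was dropped with it and nothing now records why a handler that mmap already validated must re-check `pgoff`; suggest `/* mremap() can grow the VMA past what via_dsp_mmap() validated, so refuse pages beyond the buffer set (CVE-2008-0007) */` above the `if (pgoff >= max_bufs)` line. Note also that `max_bufs` is derived from `chan->frag_number` where `chan` is fixed to `&card->ch_out` at the top of the function (visible in the previous hunk), including the capture-only case `rd && !wr`; if the two channels can be configured with different `frag_number` values, the bound is only approximate for that case — worth confirming against via_dsp_mmap, which is outside this patch. The body of via_mm_nopage continues past the hunk.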
+diff --git a/fs/ncpfs/mmap.c b/fs/ncpfs/mmap.c
+index 7d9bc34..dd8cb1a 100644
+--- a/fs/ncpfs/mmap.c
++++ b/fs/ncpfs/mmap.c
+@@ -47,9 +47,6 @@ static struct page* ncp_file_mmap_nopage(struct vm_area_struct *area,
+ 	pos = address - area->vm_start + (area->vm_pgoff << PAGE_SHIFT);
+ 
+ 	count = PAGE_SIZE;
+-	if (address + PAGE_SIZE > area->vm_end) {
+-		count = area->vm_end - address;
+-	}
+ 	/* what we can read in one go */
+ 	bufsize = NCP_SERVER(inode)->buffer_size;
+ 

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	Tue Feb 19 07:21:41 2008
@@ -19,3 +19,4 @@
 + powerpc-chrp-null-deref.dpatch
 + random-bound-check-ordering.dpatch
 + random-fix-seeding-with-zero-entropy.dpatch
++ mmap-VM_DONTEXPAND.dpatch


